While Oracle does a fine job fixing holes, bugs, and vulnerabilities, at the end of the day do users actually patch all the issues. Attackers know the answer to that one: No.

Attackers will wait for new patches to come out and then reverse engineer the fixes in order to find the specifics of the vulnerabilities, researchers said. It’s a concern, especially for companies like Microsoft, Adobe and Oracle whose software runs on hundreds of millions of machines and have regular, predictable patch cycles that attackers can depend on. This gives them a monthly or quarterly batch of fixes to reverse engineer. Again, that works because users do not always patch.

Microsoft is very good at getting users to use automatic updates, especially in the enterprise. But there still are plenty of users, particularly consumers, who don’t take advantage of automatic updates, leaving them open to attacks. When it comes to Java, anecdotal evidence has supported the idea that even though there has been a steady stream of new vulnerabilities over the last few years, attackers focus most of their attention on older flaws for which there are already patches.

Research from Microsoft shows there has been a spike in malware targeting Java vulnerabilities since the third quarter of 2011, and much of the activity centered on patched vulnerabilities in Java. Part of the reason for this may be attackers like vulnerabilities that are in multiple versions of Java, rather than just one specific version.

“In Q3 and Q4 of 2012 two new vulnerabilities, CVE-2012-4681 and CVE-2012-5076, were found. But we didn’t observe any prevalence of Java malware abusing these newer vulnerabilities above malware abusing the older Java vulnerabilities, CVE-2012-0507 and CVE-2012-1723,” said Microsoft’s Jeong Wook Oh. “The reason behind this might be that only Java 7 installations were vulnerable to CVE-2012-4681 and CVE-2012-5076, whereas CVE-2012-0507 and CVE-2012-1723 also target Java 6. As there are still many users that use Java 6, the malware writers might have tried to target Java 6 installations by including older vulnerabilities in the exploit package. We can assume that, for this reason, they didn’t do away with the older vulnerabilities.”

“So there were two kinds of Java vulnerabilities that appeared in 2012 overall: One is the category that applies to both multiple versions of Java including Java 6 and 7, and the other are the vulnerabilities that only applies to Java 7,” the Microsoft researcher said. “So when new vulnerabilities that are only applicable to Java 7 are discovered, the attacker’s strategy was usually to combine it with older vulnerabilities that cover more versions of Java. In that way, they could achieve more coverage than just using a single exploit in one package.”

Oh looked specifically at four Java vulnerabilities from 2012 that malware targeted, only one of which was a Zero Day. The other three flaws already had patches available when the malware targeting them appeared. This is the same kind of pattern followed by malware that targets vulnerabilities in Microsoft products and Adobe applications.